Online privacy: It's time for a new security paradigm
- By Richard Spires
- Sep 23, 2014
Internet use across industries such as government, health care, retail, education and finance relies on the ability to access personally identifiable information (PII) scattered across different applications and organizations. Moreover, the proliferation of software-as-a-service models and online platforms is further dispersing our personal data.
Yet as evidenced by a number of high-profile data breaches in the past few months -- and, based on Verizon's 2014 Data Breach Investigations Report, the number of data breaches is growing -- the current need to protect our PII exceeds the capabilities of existing security, privacy and interoperability technologies. Meanwhile, data breaches and resultant identity theft are imposing enormous societal economic costs and personal hardship for individuals who have had their PII compromised.
Fragmentation of online identity means that we as online users are forced to struggle with proliferating accounts and passwords. And we are regularly required to reveal sensitive information about ourselves and repeatedly enter the same information to create accounts that establish new, disparate online identities.
That approach wastes time, undermines privacy and further exposes us to identity theft. Perhaps worse, we must rely on websites and online service providers to protect our privacy and security, whether we want to trust those organizations or not.
In addition, the shortcomings of existing online security models keep organizations from using their most valuable data, which also tends to be their most sensitive data, for online, real-time business processes. Furthermore, organizations and online service platforms are burdened with storing our PII, which they then must protect to try to guard against unauthorized data disclosure.
Now extend those issues to the burgeoning Internet of Things. How can we protect the control and use of devices connected online and ensure that they have not been compromised? How comfortable are we with having devices that can affect human safety controlled via the Internet?
Today's enterprise-based approaches -- which involve each organization developing its own identity, security and privacy architecture -- cannot meet those challenges. Point-to-point integrations across organizational boundaries are difficult at best and do not easily scale up to interact with more organizations, which is particularly troublesome for regulated data such as medical, educational or financial records.
Verifying authorization requires matching our online identity with the identity attributes in the records being requested, or verifying that the user has a relationship with the subject of the records (e.g., the user is the custodial parent of a child) or has an affiliation with an organization (e.g., is the principal of the school where the child is enrolled). That typically involves matching our identities and relationships with the subjects of records across multiple organizations and applications, each of which often has its own identity models and security policies.
Compounding the challenge is the fact that verifying identity, relationships and authorization typically involves evaluating sensitive and proprietary information about us and our relationships. Often, that information is more sensitive than the content to be accessed.
So what is the solution? There needs to be a general-purpose capability that dynamically discovers and connects distributed data and applications and enforces granular privacy, security and organizational policies to enable trusted interactions among people, organizations, applications, online services and the Internet of Things.
A set of capabilities under the banner of "trust management" has been developed in academia and is now beginning to be commercialized. It encompasses the methods and technology for assessing and protecting the information required to make decisions about online trust relationships. Establishing a system for trust management requires a common infrastructure for specifying policies that can protect yet enable access to data and systems, representing identities and credentials, and evaluating and enforcing an organization's policies -- all while maintaining privacy.
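The authorization check described above (identity match, custodial-parent relationship or school-principal affiliation) combined with the privacy requirement that the sensitive records used to verify it stay with their owners, as an added example that is not from the article or from any trust-management product. The authority classes, predicate names and identifiers are constructed assumptions; each organization answers only yes or no, and the evaluator denies by default.

```python
class Authority:
    """An organization that keeps its records private and only answers predicates."""
    def __init__(self, name, facts, online=True):
        self.name, self._facts, self.online = name, set(facts), online

    def attest(self, predicate, requester, subject):
        if not self.online:
            raise ConnectionError(self.name)
        return self._check(predicate, requester, subject)

    def _check(self, predicate, requester, subject):
        return (predicate, requester, subject) in self._facts


class SchoolDistrict(Authority):
    def _check(self, predicate, requester, subject):
        if predicate == "principal_of_enrolled_school":
            # The join over enrollment data happens inside the district,
            # so the caller never learns which school the child attends.
            schools = {s for p, who, s in self._facts
                       if p == "enrolled" and who == subject}
            return any(("principal", requester, s) in self._facts for s in schools)
        return super()._check(predicate, requester, subject)


def authorize(requester, subject, policy):
    """Return (allowed, rule_name); deny by default and fail closed."""
    for rule_name, authority, predicate in policy:
        try:
            if authority.attest(predicate, requester, subject):
                return True, rule_name
        except ConnectionError:
            continue  # an unreachable authority never grants access
    return False, None


# Constructed sample identifiers and facts (hypothetical, not real data).
IDP = Authority("identity-provider", {("same_person", "u-42", "s-42")})
COURT = Authority("family-court", {("custodial_parent", "u-17", "s-42")})
DISTRICT = SchoolDistrict("school-district", {
    ("enrolled", "s-42", "school-9"), ("principal", "u-88", "school-9")})

POLICY = [("record-subject", IDP, "same_person"),
          ("custodial-parent", COURT, "custodial_parent"),
          ("school-principal", DISTRICT, "principal_of_enrolled_school")]

if __name__ == "__main__":
    for user in ("u-42", "u-17", "u-88", "u-99"):
        print(user, authorize(user, "s-42", POLICY))
```

The decision carries only the name of the rule that matched, which is enough for an audit log without copying the court or enrollment data into the relying application.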
Trust management does not replace the need for today's cybersecurity solutions, but the need for trust management is becoming more crucial if we as a society are to fully exploit the value of the Internet and the promise of easily and confidently interacting with other people, organizations and things.
In the interest of full disclosure, I am so convinced of the ability of trust management to improve online information sharing and address privacy challenges that I recently joined Resilient Network Systems, the developer of the Trust Network platform for online trust management.
Richard A. Spires has been in the IT field for more than 30 years, with eight years in federal government service. He served as the lead for the Business Systems Modernization program at the IRS, then served as CIO and deputy commissioner for operations support, before moving to the Department of Homeland Security to serve as CIO of that agency. He is now CEO of Learning Tree.